Gamaredon and UAC-0226 WinRAR exploitation in Ukrainian organizations
Case score 60
Case score is a discovery signal based on public evidence, not a guaranteed risk rating. Use it to decide what to review first, then verify important details from the linked sources.
- Total
- 60
- Main story score
- 57
- Related evidence lift
- +3 / 20
- Contributing updates
- 1
- Context updates
- 0
- Campaign Anchors the dossier with the Ukrainian target set, original intrusion chain, stealth tradecraft, and baseline remediation guidance. main
- Campaign Expands the same WinRAR CVE-2025-8088 activity with later Earth Dahu timing and a parallel UAC-0226 chain using startup persistence, PowerShell, and GIFTEDCROOK. contributes
-
Old: Gamaredon fileless WinRAR intrusion chain in Ukrainian state and infrastructure networksNew: Gamaredon and UAC-0226 WinRAR exploitation in Ukrainian organizationsWhy old title changed: The previous title centered a single Gamaredon fileless intrusion chain in state and infrastructure networks, but the accepted scope now includes a separately described UAC-0226 startup-LNK and GIFTEDCROOK chain and broader Ukrainian-organization targeting tied to the same WinRAR exploitation.The new title better reflects the reader-facing scope by foregrounding the shared WinRAR exploitation and the two named operations now covered, while keeping the fixed URL unchanged.
Overview
Latest development Open development history Trend Micro attributes WinRAR exploitation to Earth Dahu and SHADOW-EARTH-066 Trend Micro attributes the WinRAR exploitation against Ukrainian organisations to Earth Dahu (Gamaredon) and SHADOW-EARTH-066 (UAC-0226), saying both groups weaponized CVE-2025-8088 after WinRAR patched it in July 2025. SHADOW-EARTH-066 used crafted RAR archives with hidden ADS payloads, a Startup-folder LNK, a PowerShell loader via cmd.exe, and in-memory DLL loading to launch GIFTEDCROOK, while Earth Dahu used an HTA-to-VBScript chain that delivered espionage modules.
-
Earth Dahu exploitation chain remains active on April 10, 2026
Earth Dahu used CVE-2025-8088 in an HTA-to-VBScript infection chain that delivered espionage modules against Ukrainian organisations, and Trend Micro says RAR internal file timestamps and file naming conventions show the chain remained active through at least April 10, 2026.
-
Gamaredon worm hides inside NTFS Alternate Data Streams on Ukrainian networks
Sekoia identified a Gamaredon worm used against Ukrainian networks that hides its modules in NTFS Alternate Data Streams, relies heavily on fileless VBScript, and begins from a booby-trapped xHTML file that delivers a malicious RAR archive exploiting CVE-2025-8088 in WinRAR. The campaign targets Ukrainian government, military, and critical infrastructure networks for document theft and long-term access, and defenders were advised to update WinRAR to version 7.13 or later and wipe infected systems when cleanup fails.